Security governance is the means by which you control and direct your organisation’s approach to security. When done well, security governance will effectively coordinate the security activities of your organisation. It enables the flow of security information and decisions around your organisation.
Just as security is the responsibility of everyone within an organisation, security decision making can happen at all levels. To achieve this, an organisation’s senior leadership should use security governance to set out the kinds of security risks they are prepared for staff to take, and those they are not.
What approach to security governance is right for me?
There is no ‘one size fits all’ approach to security governance. The approach you eventually adopt will vary. At one extreme you may choose a formalised security framework, with clearly defined roles and business processes. At the other you may choose a more informal approach to directing, controlling and making security decisions.
Answering the following questions will help you decide how formal your approach should be:
- How large and complex is your organisation?
- What resources are available for security governance?
- What does your organisation do, and how important is security to those aims?
- Are there any external considerations (for example contractual, legal, regulatory or sector specific requirements)?
In practical terms, the correct approach means identifying:
- The security decisions that need to be made.
- The people who will make them.
- The information required to make sensible and informed choices.
What does a good approach to security governance look like?
Regardless of the level of formality, good governance should:
- Clearly link security activities to your organisation’s goals and priorities.
- Identify the individuals, at all levels, who are responsible for making security decisions and empower them to do so.
- Ensure accountability for decisions.
- Ensure that feedback is provided to decision-makers on the impact of their choices.
- Any approach to security governance should fit into an organisation’s wider approach to governance. Security needs to be considered alongside other business priorities, such as health and safety, or financial governance.
Decide upon an approach that is right for your organisation
You should consider the problems, which face your organisation and decide upon an approach that is right for you. This is important because adopting a security governance process does not, in and of itself, achieve good security. The act of governance should not be separated from the day-to-day operation and maintenance of good security.
For example, it is not sufficient for senior leadership to simply state that ‘security risks are unacceptable’. Doing so will force staff to take risks based only on their personal knowledge and experience, without fully considering the priorities of your organisation.